Grøstl is an iterated
hash function, where the compression function is built from two fixed, large,
different permutations. The design of Grøstl is transparent and
based on principles very different from those used in the SHA-family.

The two permutations used are constructed using the wide trail design
strategy, which makes it possible to give strong statements about the
resistance of Grøstl against large classes of cryptanalytic
attacks. Moreover, if these permutations are assumed to be ideal,
there is a proof for the security of the hash function.

Grøstl is a byte-oriented SP-network which borrows components
from the AES. The S-box used is identical to the one used in the
block cipher AES and the diffusion layers are constructed in a
similar manner to those of the AES. As a consequence there is a very
strong confusion and diffusion in Grøstl.

Grøstl is a so-called wide-pipe construction where the size of the
internal state is significantly larger than the size of the
output. This has the effect that all known, generic attacks on
the hash function are made much more difficult.

Grøstl has good performance on a wide range of different
platforms, and counter-measures against side-channel attacks are
well-understood from similar work on the AES.